"Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network." (from the Cisco RV320 product page [1])

More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based configuration interface, which is implemented in various CGI programs in the device's firmware. Access to this web interface requires prior authentication using a username and password. Previously, RedTeam Pentesting identified a vulnerability (rt-sa-2018-003) [2] in the CGI program:

/cgi-bin/export_debug_msg.exp

By issuing an HTTP POST request to this program, it was possible to retrieve various diagnostic information from the device, including its current configuration. This request did not require any prior authentication. Cisco addressed this vulnerability in firmware version 1.4.2.19 [3].

RedTeam Pentesting discovered that the CGI program in the patched firmware is still vulnerable. The user agent "curl" is blacklisted by the firmware, so the user agent string must be changed in the HTTP client. Again, exploitation does not require any authentication.

Proof of Concept
================

The diagnostic data can be retrieved by issuing an HTTP POST request to the vulnerable CGI program. OpenSSL is used to decrypt the data with the hard-coded password "NKDebug12#$%" before unpacking it with tar (output shortened):

This vulnerability is rated as a high risk as it exposes sensitive diagnostic information, such as the device's configuration, to untrusted, potentially malicious parties. By retrieving this information, attackers can obtain the internal network configuration, VPN or IPsec secrets, as well as password hashes for the router's user accounts. Knowledge of a user's password hash is sufficient to log into the router's web interface; cracking the hash is not required. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or of attached networks.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested, please visit: https://www.redteam-pentesting.de/jobs/